Operation Auditing
audit_system_object
Parameter description: Specifies whether to audit the CREATE, DROP, and ALTER operations on database objects. Database objects include databases, users, schemas, and tables. You can change the value of this parameter to audit only the operations on required database objects. In the scenario where the leader node is forcibly selected, you are advised to set audit_system_object to the maximum value and audit all DDL objects.
This parameter is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Value range: an integer ranging from 0 to 536870911
- 0 indicates that the function of auditing the CREATE, DROP, and ALTER operations on database objects can be disabled.
- Other values indicate that the CREATE, DROP, and ALTER operations on a certain or some database objects are audited.
Value description:
The value of this parameter is calculated by 29 binary bits. The 29 binary bits represent 29 types of database objects. If the corresponding binary bit is set to 0, the CREATE, DROP, and ALTER operations on corresponding database objects are not audited. If it is set to 1, the CREATE, DROP, and ALTER operations are audited. For details about the audit contents represented by these 29 binary bits, see Table 1.
When SQL patches are audited and audit_dml_state_select are enabled, an SQL patch operation will be audited twice and recorded as DML and DDL operations in the audit log, respectively. If a remote interface is invoked, the DDL logs are generated on the node corresponding to the input parameter, instead of on the node where the statement is issued.
Default value: 67121159, indicating that DDL operations on databases, schemas, users, data sources, node groups, and SQL patches are audited.
Binary Bit |
Description |
Value Range |
---|---|---|
Bit 0 |
Whether to audit the CREATE, DROP, and ALTER operations on databases. |
|
Bit 1 |
Whether to audit the CREATE, DROP, and ALTER operations on schemas. |
|
Bit 2 |
Whether to audit the CREATE, DROP, and ALTER operations on users and user mappings. |
|
Bit 3 |
Whether to audit the CREATE, DROP, ALTER, and TRUNCATE operations on tables. |
|
Bit 4 |
Whether to audit the CREATE, DROP, and ALTER operations on indexes. |
|
Bit 5 |
Whether to audit the CREATE and DROP operations on VIEW and MATVIEW objects. |
|
Bit 6 |
Whether to audit the CREATE, DROP, and ALTER operations on triggers. |
|
Bit 7 |
Whether to audit the CREATE, DROP, and ALTER operations on procedures/functions. |
|
Bit 8 |
Whether to audit the CREATE, DROP, and ALTER operations on tablespaces. |
|
Bit 9 |
Whether to audit the CREATE, DROP, and ALTER operations on resource pools. |
|
Bit 10 |
Whether to audit the CREATE, DROP, and ALTER operations on workloads. |
|
Bit 11 |
Reserved |
- |
Bit 12 |
Whether to audit the CREATE, DROP, and ALTER operations on data sources. |
|
Bit 13 |
Whether to audit the CREATE and DROP operations on node groups. |
|
Bit 14 |
Whether to audit the CREATE, DROP, and ALTER operations on ROW LEVEL SECURITY objects. |
|
Bit 15 |
Whether to audit the CREATE, DROP, and ALTER operations on types. |
|
Bit 16 |
Whether to audit the CREATE, DROP, and ALTER operations on text search objects (CONFIGURATION and DICTIONARY). |
|
Bit 17 |
Whether to audit the CREATE, DROP, and ALTER operations on directories. |
|
Bit 18 |
Whether to audit the CREATE, DROP, and ALTER operations on synonyms. |
|
Bit 19 |
Whether to audit the CREATE, DROP, and ALTER operations on sequences. |
|
Bit 20 |
Whether to audit the CREATE, ALTER, and DROP operations on CMKs and CEKs. |
|
Bit 21 |
Whether to audit the CREATE, DROP, and ALTER operations on packages. (Currently, the operations on packages can be audited only in the centralized deployment scenario.) |
|
Bit 22 |
Reserved |
- |
Bit 23 |
Reserved |
- |
Bit 24 |
Whether to audit the ALTER and DROP operations on the gs_global_config objects. |
|
Bit 25 |
Reserved |
- |
Bit 26 |
Whether to audit the CREATE, ENABLE, DISABLE, and DROP operations on SQL patches. |
|
Bit 27 |
Reserved |
- |
Bit 28 |
Whether to audit the CREATE, ALTER, and DROP operations on database links. Currently, the database link function is not supported. |
|
audit_dml_state
Parameter description: Specifies whether to audit the INSERT, UPDATE, and DELETE operations on a specific table.
This parameter is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Value range: an integer, 0 or 1
- 0 indicates that the function of auditing the DML operations (except SELECT) is disabled.
- 1 indicates that the function of auditing the DML operations (except SELECT) is enabled.
Default value: 0
audit_dml_state_select
Parameter description: Specifies whether to audit the SELECT operation.
This parameter is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Value range: an integer, 0 or 1
- 0 indicates that auditing the SELECT operation is disabled.
- 1 indicates that auditing the SELECT operation is enabled.
Default value: 0
audit_function_exec
Parameter description: Specifies whether to record the audit information during the execution of the stored procedures, anonymous blocks, or user-defined functions (excluding system functions).
This parameter is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Value range: 0 or 1
- 0 indicates that the function of auditing the procedure or function execution is disabled.
- 1 indicates that the function of auditing the procedure or function execution is enabled.
Default value: 0
audit_system_function_exec
Parameter description: Specifies whether to record audit logs when system functions in the whitelist are executed.
This parameter is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Value range: 0 or 1
- 0 indicates that the function of auditing the execution of system functions is disabled.
- 1 indicates that the function of auditing system function execution is enabled.
Default value: 0
The following table lists the whitelist of system functions that can be audited.
set_working_grand_version_num_manually |
set_config |
pg_terminate_backend |
pg_cancel_backend |
pg_cancel_session |
pg_cancel_invalid_query |
pg_reload_conf |
pg_rotate_logfile |
pg_terminate_session |
pg_terminate_backend |
pg_start_backup |
pg_stop_backup |
pg_create_restore_point |
pg_switch_xlog |
pg_cbm_get_merged_file |
pg_cbm_recycle_file |
pg_enable_delay_ddl_recycle |
pg_disable_delay_ddl_recycle |
pg_cbm_rotate_file |
gs_roach_enable_delay_ddl_recycle |
gs_roach_disable_delay_ddl_recycle |
gs_roach_stop_backup |
pg_last_xlog_receive_location |
pg_xlog_replay_pause |
pg_xlog_replay_resume |
gs_roach_switch_xlog |
gs_pitr_archive_slot_force_advance |
gs_pitr_clean_history_global_barriers |
gs_download_obs_file |
gs_upload_obs_file |
gs_set_obs_file_context |
gs_set_obs_delete_location |
gs_hadr_do_switchover |
gs_set_obs_delete_location_with_slotname |
gs_streaming_dr_in_switchover |
pg_advisory_lock |
pg_advisory_lock_shared |
pg_advisory_unlock |
pg_advisory_unlock_shared |
pg_advisory_unlock_all |
pg_advisory_xact_lock |
pg_advisory_xact_lock_shared |
pg_try_advisory_lock |
pg_try_advisory_lock_shared |
pg_try_advisory_xact_lock |
pg_try_advisory_xact_lock_shared |
gs_get_hadr_key_cn |
pg_create_physical_replication_slot_extern |
pg_create_logical_replication_slot |
pg_drop_replication_slot |
pg_logical_slot_peek_changes |
pg_logical_slot_get_changes |
pg_logical_slot_get_binary_changes |
pg_replication_origin_drop |
pg_replication_origin_session_reset |
local_space_shrink |
gs_space_shrink |
global_space_shrink |
pg_free_remain_segment |
gs_fault_inject |
sqladvisor.init |
sqladvisor.set_weight_params |
sqladvisor.set_cost_params |
sqladvisor.assign_table_type |
gs_repair_file |
local_clear_bad_block_info |
gs_repair_page |
- |
- |
- |
- |
- |
audit_copy_exec
Parameter description: Specifies whether to audit the COPY operation.
This parameter is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Value range: an integer, 0 or 1
- 0 indicates that auditing the COPY operation is disabled.
- 1 indicates that auditing the COPY operation is enabled.
Default value: 1
audit_set_parameter
Parameter description: Specifies whether to audit the SET operation.
This parameter is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Value range: an integer, 0 or 1
- 0 indicates that auditing the SET operation is disabled.
- 1 indicates that auditing the SET operation is enabled.
Default value: 0
audit_xid_info
Parameter description: Specifies whether to record the transaction ID of the SQL statement in the detail_info column of the audit log.
This parameter is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Value range: an integer, 0 or 1
- 0 indicates that the function of recording transaction IDs in the audit log is disabled.
- 1 indicates that the function of recording transaction IDs in the audit log is enabled.
Default value: 0
If this function is enabled, the detail_info information in the audit log starts with xid. For example:
detail_info: xid=14619 , create table t1(id int);
If transaction IDs do not exist, xid is recorded as NA in the audit log.
enableSeparationOfDuty
Parameter description: Specifies whether the separation of duties is enabled.
This parameter is a POSTMASTER parameter. Set it based on instructions provided in Table 1.
Value range: Boolean
- on indicates that the separation of duties is enabled.
- off indicates that the separation of duties is disabled.
Default value: off
enable_nonsysadmin_execute_direct
Parameter description: Specifies whether non-system administrator and non-monitor administrator users are allowed to execute the EXECUTE DIRECT ON statement.
This parameter is a POSTMASTER parameter. Set it based on instructions provided in Table 1.
Value range: Boolean
- on indicates that any user is allowed to execute the EXECUTE DIRECT ON statement.
- off indicates that only the system administrator and monitor administrator are allowed to execute the EXECUTE DIRECT ON statement.
Default value: off
enable_access_server_directory
Parameter description: Specifies whether to allow non-initial users to create, modify, and delete directories.
This parameter is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Value range: Boolean
- on indicates that non-initial users have the permission to create, modify, and delete directories.
- off indicates that non-initial users do not have the permission to create, modify, and delete directories.
Default value: off
To use the advanced package UTL_FILE to access files on the server, you must have the permissions on the specified directory.
For security purposes, only the initial user can create, modify, and delete directories by default.
If enable_access_server_directory is enabled, users with the SYSADMIN permission and users who inherit the gs_role_directory_create permission of the built-in role can create directories. A user with the SYSADMIN permission, the owner of a directory, a user who is granted with the DROP permission for the directory, or a user who inherits the gs_role_directory_drop permission of the built-in role can delete the directory. A user with the SYSADMIN permission and the owner of a directory object can change the owner of the directory, and the user must be a member of the new owning role.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot